By Avinash Koli

The Digital Personal Data Protection Bill (hereafter DPDP 2023) finally has its time in the limelight in the legislature, signalling a pivotal turning point in India’s quest to protect its digital space. Until it becomes law, there is anarchy in the data regulatory environment of India, a country where 47% of the population uses the internet. While the current version of the bill has been getting a mixed response, it has missed the need of the hour – Privacy by Design or Default (hereafter PbD). Surprisingly, not only did the bill choose to skip it, but the discussion around it outside the government is also inadequate. Unlike the corresponding legislation of other countries, the bill presented in parliament has no explicit provision for PbD.

Every society is characterised by a set of personal, socio-cultural, and political norms. Several countries have adopted internationally recognised privacy principles to develop their privacy regulations. However, without a closer investigation of the social norms that define a society, applying principles of any kind could be a recipe for disaster. Measuring and identifying social norms concerning (information) privacy is all the more difficult because a) there is no definite definition of privacy accepted worldwide, and b) this suggests that privacy as a concept is highly subjective: it may vary from country to country, region to region, community to community, etc. That is where the utility of principles comes in: they can be broad-based and can be encoded into regulations (which can take any form – policy or legislation). The principles serve as a proxy for social norms, a set of shared values and the personal adjustment process of a society. Hence, a principle-based approach becomes pertinent as technology is evolving rapidly, leaving regulation to play catch-up.

Modern technology, to a large extent, is invariably dependent on a large and significantly valuable set of data for its application. However, when these data points are aggregated to become big data, they create fundamental privacy issues. The privacy principles come into direct conflict with the flow of big data from its generation to processing. Hence, to avoid such conflict with the very nature of how big data is generated, collected and processed, scholars argue for investigating the harm generated at the stage of the processed output rather than at the data collection stage. However, waiting for harm to manifest would be a ‘lazy approach’ to regulatory affairs in the privacy domain.

This is where one of the foundational works recognised in the field of privacy principles comes to the rescue: the work of Ann Cavoukian, which lists seven principles defining PbD. These principles, when employed as a guide for data regulation, can effectively influence both technologists and policymakers. PbD takes a proactive approach to privacy protection rather than a reactive one. It advocates embedding privacy protection in the design of the technology and innovation system. Since digital technology is a prevalent subject of regulation in today’s world, it becomes important to include PbD as an essential component of the comprehensive set of internationally accepted privacy principle frameworks.

Privacy (or Data Protection) by Design has been an essential principle with regard to building technical, business and policy infrastructures that are privacy-friendly in their very development. The push that technologists and policymakers need is a law that guides and acts as a core for privacy-friendly innovations. Hence the role of lawmakers in facilitating PbD applications cannot be stressed enough.

India, in its Personal Data Protection Bill (hereafter PDP) 2019, had Clause 22, which mentioned PbD policy, while the European Union’s General Data Protection Regulation (hereafter GDPR) Article 25 names it “data protection by design and default policy.” The regulatory measures along these lines argue for policies, practices and procedures to ensure privacy-enabled collection, processing and transfer of personal data. Additionally, GDPR Clause 3 under Article 25 and PDP Subclause (3) of Clause 22 mandate that certification of the privacy by design policy from the authority “may be” used as an instrument for ensuring compliance with all the requirements of this policy. India’s PDP Subclause (4) of Clause 22 mandated that data fiduciaries publish the certification on their website as an additional measure towards the aim of this policy.

China’s Personal Information Protection Law (PIPL) 2021 and Singapore’s Personal Data Protection Act (PDPA) 2012, while having provisions to make sure that the processing or handling of personal data is undertaken according to the prescribed privacy principles and best practices, do not explicitly mention “privacy by design” or “data protection by design.” Rather, their respective legislation mentions “policies and practices” in the case of PDPA or “handling of personal information following principles” in the case of PIPL. Like India’s earlier draft DPDP 2022, the latest 2023 bill is silent about PbD, missing a chance to mould the sections of the bill into perhaps the first version of privacy legislation worldwide equipped to deal with the newer and complex (algorithmic) innovations that have the prospect of harming privacy.

The literature around the legal and policy conceptualisation of PbD by regulation is catching up, with a few significant efforts. While these efforts are in the direction of defining, mapping and evaluating existing privacy regulations, we need to rethink the phrasing of our legal documents concerning privacy protection. We need to lead by example by incorporating the conceptual understanding of PbD and other such principles into the law. Hence there is a need for ‘design-thinking’ not only in privacy, innovation, and competitiveness but also in lawmaking. Let this be a new social contract for the policymakers.

The author is a tech policy professional based out of Delhi. He can be reached at avikoli14863@gmail.com

Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.